Re: using web enrollment for servers etc.



Brian,

I kept messing with it, and I think it is actually working all right. But
the installation telling me that it successfully installed a certificate when
it really does not, threw me. It looks like it is only installing
certificates that it can place in the user store. I requested an IPSEC
certificate, which the web enrollment let me do, and I could not get the web
site to actually place this in any store folder. I could do it manually,
but when it came to actually using that certificate, it would not work.
Most likely because the subject needed to be a computer name, and since I
enrolled it using the website, the subject name was a user name instead. So
then why is the IPSEC option even available?

Here is my latest question then.

What exactly can I DO with each of the certificate choices I get under the
advanced option of web enrollment? Let's say I am logged in as "SomeUser".
The choices of certificates are:

Client Authentication
Email Protection - I get this one.
Server Authentication - isn't this a machine cert? So why would I have this
option when my subject would not be a server name?
Code Signing - can this be successfully gotten via web enrollment?
Time Stamp - what is this cert for? again, can it be requested successfully
via web enrollment?
IPSec - this didn't work for a computer (naturally), so is there a purpose I
CAN use it for if I get it via web enrollment with the subject being a
username, not a computer name?
Other -

Many thanks,

Kristin



"Brian Komar" <brian.komar@xxxxxxxxxxxxxxxxx> wrote in message
news:4E44FE9E-53A2-4A16-8892-2E1B813826D8@xxxxxxxxxxxxxxxx
The request is always done in the security context of the user, so you
cannot request typical machine certificates from the Web enrollment pages.
The only type that you can request are ones where the user supplies the
subject in the request.
Brian

"Kristin Griffin" <kristin.l.griffin@xxxxxxxxx> wrote in message
news:eFFgTaObIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Can the web enrollment feature be used to enroll for only user
certificates? It looks like you can get a server certificate as the
"type" drop down box lists: Server Authentication Certificate.

Can anyone define the limitations of the Web Enrollment feature as
pertains to what kinds of certificates you can actually request and get
successfully?

Thanks!

Kristin
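
An added example, not part of the original thread: a PowerShell check for the situation described above, where a certificate requested through the web pages lands in the user store with a user name as its subject. The EKU name table and the choice to treat Server Authentication and IPSec as machine purposes are assumptions of this example, not settings taken from the CA.

```powershell
# Standard EKU OIDs, mapped (as an assumption) to the purposes named in the thread
$EkuNames = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.4' = 'Email Protection'
    '1.3.6.1.5.5.7.3.8' = 'Time Stamping'
    '1.3.6.1.5.5.8.2.2' = 'IPSec (IKE intermediate)'
}
# Assumption: these purposes are consumed by a service or the OS, not a logged-on user
$MachineEkus = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.8.2.2'

function Get-CertPlacementReport {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $short    = $env:COMPUTERNAME
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # Collect the EKU OIDs carried by this certificate (empty = no EKU extension)
            $oids = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
                      ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
            $subject    = $cert.GetNameInfo($nameType, $false)
            $isHost     = ($subject -eq $short) -or ($subject -like "$short.*")
            $machineUse = @($oids | Where-Object { $MachineEkus -contains $_ })
            $notes = @()
            if ($machineUse.Count -gt 0 -and $path -like 'Cert:\CurrentUser\*') {
                $notes += 'machine-purpose EKU, but stored in the user store'
            }
            if ($machineUse.Count -gt 0 -and -not $isHost) {
                $notes += 'subject is not this computer name'
            }
            if (-not $cert.HasPrivateKey) { $notes += 'no private key in this store' }
            $purposes = if ($oids.Count -gt 0) {
                ($oids | ForEach-Object {
                    if ($EkuNames.ContainsKey($_)) { $EkuNames[$_] } else { $_ }
                }) -join ', '
            } else { 'none listed (no EKU extension)' }
            [pscustomobject]@{
                Store    = $path
                Subject  = $subject
                Purposes = $purposes
                Notes    = $notes -join '; '
            }
        }
    }
}

Get-CertPlacementReport | Format-List
```

A certificate that shows both notes matches what the thread describes: it was issued, but with a user subject and in a store the consuming service does not read.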



